Atomic Secure Linux

Post subject: Atomic Secured Linux support for Amazon EC2
Posted: Tue Feb 28, 2012 6:53 pm
Forum User
Joined: Mon Mar 26, 2007 9:47 am
Posts: 40

Hi

One of my clients recently paid for ASL on my recommendation. They've got a brand new EC2 instance they're running it on. It's running Amazon Linux, which I think is a supported configuration for ASL.

On the first install, the ASL installer bombs out (when updating RPM packages), saying

Error: Package: 1:kernel-2.6.29.6-1.art.i586 (asl-3.0)
Requires: mkinitrd

I've tried using the support / ticket system, but all I've got is a reply saying that I should contact Amazon directly to resolve the problem and to try and obtain a copy of mkinitrd from Amazon. Before I do that, does anyone have any info / experience with using Amazon Linux with ASL? Does it normally just work with the standard EC2 instance, or are there any tweaks that have to be done?

Support also mentioned a workaround, which is to bypass the kernel install. We'd definitely like to install the kernel if possible - especially if it's something that can be made to work with Amazon Linux.

My worry is there may be other dependency issues, even if Amazon are able to send me a mkinitrd package - so it would be great to have any feedback on how installation has gone, etc.

Thanks in advance for any help!

Tom


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Tue Feb 28, 2012 7:19 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7936
Location: earth

Amazon is using a weirdly customized version of CentOS (or maybe RHEL? Scientific Linux?). I'm not sure what they were trying to accomplish with a few of them... unless it was to break compatibility with all the folks out there that make apps for EL (enterprise linux) environments.

That mkinitrd doesn't exist at all... man.... that's bad. Presumably it's because you don't have a kernel under your control. I can understand that it's not relevant in certain environments where the kernel is not controllable (also very very bad) but it's such a small package & so many other things depend on it (initscripts....glibc... etc) I can only imagine that it was done because:
1) they like increasing their support costs
2) they haven't got any visibility into the way it interacts with other stuff.

Both don't bode well!

If I could put something together to convert that system to CentOS or something else would you be interested in that?


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Wed Feb 29, 2012 3:15 am
Forum User
Joined: Mon Mar 26, 2007 9:47 am
Posts: 40

Hi Scott

Thanks for the reply! Yeah, it seems really odd. But for now, even if we can't get the hardened ASL kernel in place straightaway, it would be great to persevere with the install and see if it gets anywhere. I've done the "touch / skipkernel" and re-run the installer. That then seems to remove the dependency on mkinitrd. But I then get a further dependency issue, which is:

Error: Package: roadsend-php-libs-2.9.8-8.el5.art.i386 (asl-3.0)
Requires: libcurl.so.3
Error: Package: roadsend-php-libs-2.9.8-8.el5.art.i386 (asl-3.0)
Requires: libodbc.so.1

I think I was thrown a bit by the support response on the ticket system, because I'd thought that the Amazon Linux release was a supported configuration for ASL. Are there any walk-throughs for installing ASL with Amazon Linux, or something I can work through?

The CentOS option might be good - thanks. I have ASL running on other CentOS boxes on EC2, and they work fine, so I know that's a good solid configuration.

Thanks in advance,

Tom


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Wed Feb 29, 2012 3:27 am
Forum User
Joined: Mon Mar 26, 2007 9:47 am
Posts: 40

Hi

Just a quick update to my previous post... It looks from the Amazon Linux release notes, that they have obsoleted mkinitrd in favour of dracut:

http://www.ramoonus.nl/2011/10/15/amazo ... -released/

Is there a way that ASL can support dracut instead? I have to say, I'm not really familiar with dracut. It looks like this change happened in the 2011.09 release of Amazon Linux.


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Wed Feb 29, 2012 9:41 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7936
Location: earth

Yeesh... they just went off the reservation there. Yes we support AMI.. and last time we checked 2011.09 was based on EL5 which did not use dracut (dracut is an EL6 component, which is where we support it).

Then you've got your libcurl and libodbc issues, those come from the curl and unixODBC packages respectively. Both of those come from the distro vendor and they're pretty important packages. They would absolutely break compatibility with atomic, epel, rpmforge, etc. You definitely need to report those up to Amazon as a problem.
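
The dependency errors quoted in this thread can be reduced to a list of missing capabilities and checked against the installed package set before the installer is re-run. This is an added example, not part of any post and not Atomicorp's installer code; the function names are hypothetical and `SAMPLE` is constructed from the error lines quoted above.

```shell
#!/bin/sh
# Added example: summarise unresolved RPM dependencies from yum output.
# Function names are hypothetical; SAMPLE is constructed from the errors
# quoted in the thread.

SAMPLE='Error: Package: 1:kernel-2.6.29.6-1.art.i586 (asl-3.0)
Requires: mkinitrd
Error: Package: roadsend-php-libs-2.9.8-8.el5.art.i386 (asl-3.0)
Requires: libcurl.so.3
Error: Package: roadsend-php-libs-2.9.8-8.el5.art.i386 (asl-3.0)
Requires: libodbc.so.1'

# Read yum output on stdin; print "package<TAB>capability" once per pair.
missing_deps() {
    awk '
        /^[ \t]*Error: Package: / {
            sub(/^[ \t]*Error: Package: /, "")
            pkg = $1          # package exactly as yum printed it
            next
        }
        /^[ \t]*Requires: / && pkg != "" {
            sub(/^[ \t]*Requires: /, "")
            print pkg "\t" $0
            pkg = ""          # a Requires line needs a preceding Error line
        }
    ' | LC_ALL=C sort -u
}

# For each distinct missing capability, report whether an installed package
# provides it (rpm -q --whatprovides exits non-zero when none does).
report_providers() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot query local providers" >&2
        return 2
    fi
    missing_deps | cut -f2 | LC_ALL=C sort -u | while read -r cap; do
        if owner=$(rpm -q --whatprovides "$cap" 2>/dev/null); then
            echo "$cap: provided by $owner"
        else
            echo "$cap: no installed provider"
        fi
    done
}

printf '%s\n' "$SAMPLE" | missing_deps
```

On an RPM-based host, piping the saved installer output into `report_providers` shows which of the missing capabilities the distribution's own packages would have to supply.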


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Wed Feb 29, 2012 7:47 pm
Forum User
Joined: Mon Mar 26, 2007 9:47 am
Posts: 40

Hi

I'm not sure if me reporting this to Amazon is going to make them go back to using mkinitrd or get us any closer to ASL being compatible with Amazon Linux again. Is there anything that my client can do for now, or is it better for them to request a refund for now and see if it can be made to work in future?

I think the ideal thing would be if you guys are able to get an instance running with the latest Amazon Linux, replicate the install problems and launch a discussion with them to try and get it resolved and working with the latest version. Would it be possible for you to do this and let me know when it's looking more hopeful?

I think if I report this to Amazon as a bug, they're just going to refer me straight back to you, saying that ASL isn't compatible with Amazon, whereas if you're able to talk directly to them as developers, you should be able to resolve it a lot more quickly.

Thanks in advance,

Tom


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Wed Feb 29, 2012 8:41 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7936
Location: earth

If this was strictly an atomic & asl integration issue, sure. We're talking about things like integration with EPEL (which they are saying they support) as well. I can't do anything about fixing that, and EPEL would rightly put this back at Amazon.

To make this more interesting, I do have access to AMI images at the same version that do not have this issue. So that begs the question... is the AMI version the thing that matters here? Is there some kind of out of band update channel going on? And if so how are we as users of that environment to have high assurance that there won't be some kind of update that will break compatibility again?


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Fri Mar 02, 2012 9:57 am
Forum Regular
Joined: Mon Apr 10, 2006 12:55 pm
Posts: 672

I thought Atomic didn't support EC2 at all because of the kernel problems?

From a support ticket
Quote:
All we can say is it seems AWS is really slow, like there is something wrong with AWS. Our parent company works with a number of large Apple application developers (in the top 5) and of the 2 that used AWS they both moved off it. And neither of them was using modsecurity.

So all we can say is AWS is really slow, we would not recommend you use it. Scott's team spent several weeks looking into AWS, and it seems like it might be the older version of Xen they use and their older kernels:

Linux ip-10-32-81-223 2.6.18-xenU-ec2-v1.2 #2 SMP Wed Aug 19 09:04:38 EDT 2009 i686 i686 i386 GNU/Linux

A lot has changed since 2.6.18, and that kernel is missing a lot of the real time speed improvements too.

But we're open to ideas. The fact that Apache itself without modsec is so slow tells us something is wrong with their builds, if you have any ideas we're all ears.

_________________
"Its not a mac. I run linux... I'm actually cool." - scott


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Fri Mar 02, 2012 10:19 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7936
Location: earth

Except when you can.... AWS is super consistent like that :P


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Fri Mar 02, 2012 11:28 am
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA

Quote:
I thought Atomic didn't support EC2 at all because of the kernel problems?


We support it. Not sure what that quote has to do with not supporting it, we never said we don't support Amazon.

What we said is that EC2 is slow, on Amazon's kernel, and without modsecurity installed. You opened a case about Amazon being slow, and we can tell you that we have also seen that. If you want to use Amazon, please do, just know that they provide a much slower platform (significantly) than any other virtualization provider we have worked with and that it's repeatedly a slow platform without modsecurity, ASL, or anything from us installed. Slow enough in fact that our parent company had to move some large and popular Apple application developers off it (and they were not using ASL or modsecurity either).

It's just a slow platform.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Atomic Secured Linux support for Amazon EC2
Posted: Thu Mar 27, 2014 12:01 pm
Forum Regular
Joined: Tue Jun 09, 2009 12:57 pm
Posts: 179

mikeshinn wrote:
We support it. Not sure what that quote has to do with not supporting it, we never said we don't support Amazon.

What we said is that EC2 is slow, on Amazon's kernel, and without modsecurity installed. You opened a case about Amazon being slow, and we can tell you that we have also seen that. If you want to use Amazon, please do, just know that they provide a much slower platform (significantly) than any other virtualization provider we have worked with and that it's repeatedly a slow platform without modsecurity, ASL, or anything from us installed. Slow enough in fact that our parent company had to move some large and popular Apple application developers off it (and they were not using ASL or modsecurity either).

It's just a slow platform.


This still holds true in 2014?

_________________
CentOS 6.5 (2.6.32-431.11.2.el6)
ASL 4.0.5-16
Webmin 1.7.0.1
Virtualmin 4.10.gpl
Apache 2.2.15
PHP 5.3.3 (mod_fcgid/2.3.7)

